Dutch chip maker NXP has lost their Dutch court battle to obtain an injunction in an attempt to prevent students from the University of Nijmegen in the Netherlands from publishing the results of a study into the security of the Oystercard.
The students, Bart Jacobs and Wouter Teepe, are researchers who plan on publishing the results of their research this October, and planned and carried out an audacious breach of Oystercard security earlier this year.
Using a simple scanner attached to a laptop, the academics scanned an Oystercard reader at a London Underground station and obtained the encrypted information contained therein. Using this, they reversed-engineered the algorithm at the heart of the encryption which proved the key to unlocking the Oystercard’s security. They were then able to clone the chip, the Mifare Classic RFID, and make “clone cards” which could be topped up via computer without spending money. More worryingly, they also managed to engineer a scanner which could “read” the cards of commuters standing nearby and clone those as well.
The results of this experiment, reported in Holland in January, sparked a security alert which saw armed guards outside the Dutch parliament, which uses the Mifare Classic technology in its own security cards. NXP have rolled out a new version of the Mifare chip based on a new, secure, algorithm, but it is too late for the millions of Oystercard holders who all have a card containing the insecure chip. If the mathematical algorithms forming the basis of the research are published, the fear is that it could produce a how-to guide for cyber-criminals eager to break the Oyster code.
Students from London’s own UCL have also carried out research into the security of the Mifare Classic and other RFID cards, and have concluded that they can breach security in a mere 12 seconds. London Underground maintain that the cloning of Oystercards is illegal, but the results of this research may prove tempting to criminals using increasingly sophisticated methods of perpetrating crime. The decision of the Dutch courts poses an interesting question – can academic research be withheld in the public interest? While in this case, the fact that other universities have cracked the code has gone in the students' favour, the issue is a live one in technology, and will become ever-more relevant in a digital world.
Critics of the legal action argue that researchers at the University of Virginia, whose own research into the hacking of RFID chips was published last November, have struck the true hammer blow to the security of the chips, and that the action by NXP was doomed to failure. However, with London’s billion-pound transport system geared towards the Oystercard, how will it respond?